CVE-2025-14537 is a SQL injection vulnerability identified in version 1.0 of the code-projects Class and Exam Timetable Management software, specifically in the /preview7.php script. The vulnerability arises from improper sanitization of the course_year_section/semester parameter, which an attacker can manipulate to inject arbitrary SQL code. This injection flaw allows remote attackers to execute unauthorized SQL queries on the backend database without requiring authentication or user interaction. The CVSS 4.0 base score is 6.9 (medium), reflecting the network attack vector, low attack complexity, and no privileges or user interaction needed. The vulnerability can lead to partial compromise of confidentiality, integrity, and availability of the affected system’s data, such as unauthorized data disclosure, modification, or deletion. Although no active exploitation has been reported, a public exploit is available, increasing the likelihood of future attacks. The vulnerability affects only version 1.0 of the software, which is used primarily by educational institutions to manage class and exam timetables. The lack of vendor patches or updates at this time means organizations must implement mitigations themselves. The vulnerability does not involve any additional security controls like sandboxing or encryption that might mitigate impact, making it critical for affected users to address promptly.

For European organizations, especially educational institutions using the affected software, this vulnerability poses a significant risk of unauthorized access to sensitive academic scheduling data and potentially other connected database information. Exploitation could lead to data breaches involving student or staff information, timetable manipulation causing operational disruption, or deletion of critical scheduling data impacting academic activities. The remote and unauthenticated nature of the exploit increases exposure, as attackers can launch attacks from anywhere without needing credentials. This could also serve as a foothold for further network intrusion or lateral movement within institutional networks. The impact on confidentiality, integrity, and availability could disrupt academic operations and damage institutional reputation. Given the public availability of an exploit, the risk of targeted attacks against European educational entities is elevated. Organizations lacking robust monitoring or incident response capabilities may face prolonged undetected compromise.

Organizations should immediately audit their use of code-projects Class and Exam Timetable Management version 1.0 and isolate affected instances. Since no official patch is currently available, implement strict input validation and sanitization on the course_year_section/semester parameter to prevent SQL injection. Employ parameterized queries or prepared statements in the application code to eliminate direct SQL command injection. Restrict network access to the affected application to trusted IP ranges where possible and monitor logs for suspicious query patterns or repeated access attempts to /preview7.php. Deploy web application firewalls (WAFs) with SQL injection detection rules tailored to this vulnerability. Conduct regular database backups to enable recovery in case of data corruption or deletion. Engage with the vendor or community for updates or patches and plan for an upgrade once available. Educate IT and security teams about this vulnerability and the importance of rapid incident response. Consider network segmentation to limit potential lateral movement if compromise occurs.